Created September 10, 2020 23:46
seamustuohy created this gist Sep 10, 2020
// STRONTIUM: Detecting new patterns in credential harvesting
// https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/
// Microsoft Threat Protection (MTP) Query
// Thanks Microsoft for not providing your own plain text version! I loved writing this from an image.
IdentityLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonFailed"
// Source IP ranges called out in the blog post
| where IPAddress startswith "185.220.101."
    or IPAddress startswith "199.249.230."
    or IPAddress startswith "23.129.64."
    or IPAddress startswith "109.70.100."
    or IPAddress startswith "185.220.102."
| summarize
    authAttempts=dcount(Timestamp),
    firstAttempt=min(Timestamp),
    lastAttempt=max(Timestamp),
    uniqueIPs=dcount(IPAddress),
    uniqueAccounts=dcount(AccountObjectId),
    attemptedAccounts=make_set(AccountObjectId)
    by DeviceType, OSPlatform
| sort by uniqueAccounts
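Added example, not part of the gist and not Microsoft's query: a Python re-implementation of the same pipeline (30-day window, failed logons only, watched source prefixes, grouped by DeviceType/OSPlatform with the same aggregates) run over a constructed set of IdentityLogonEvents-shaped records. It lets you check what each filter drops and what the summarize row looks like before running the KQL in the portal. Column names follow the query; the sample events, account ids and the reference time NOW are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Source IP prefixes exactly as listed in the gist's KQL query.
WATCHED_PREFIXES = (
    "185.220.101.",
    "199.249.230.",
    "23.129.64.",
    "109.70.100.",
    "185.220.102.",
)


def summarize_failed_logons(events, now, prefixes=WATCHED_PREFIXES, window_days=30):
    """Mirror the KQL pipeline: three `where` filters, then `summarize ... by`, then `sort`.

    `events` is a list of dicts with the IdentityLogonEvents columns the query uses.
    Returns one row per (DeviceType, OSPlatform), sorted by uniqueAccounts descending
    (KQL `sort by` defaults to descending).
    """
    cutoff = now - timedelta(days=window_days)          # Timestamp > ago(30d)
    groups = defaultdict(list)
    for ev in events:
        if ev["Timestamp"] <= cutoff:
            continue
        if ev["ActionType"] != "LogonFailed":           # ActionType == "LogonFailed"
            continue
        if not ev["IPAddress"].startswith(prefixes):    # IPAddress startswith ... or ...
            continue
        groups[(ev["DeviceType"], ev["OSPlatform"])].append(ev)

    rows = []
    for (device_type, os_platform), evs in groups.items():
        timestamps = {e["Timestamp"] for e in evs}
        accounts = {e["AccountObjectId"] for e in evs}
        rows.append({
            "DeviceType": device_type,
            "OSPlatform": os_platform,
            "authAttempts": len(timestamps),                      # dcount(Timestamp)
            "firstAttempt": min(timestamps),                      # min(Timestamp)
            "lastAttempt": max(timestamps),                       # max(Timestamp)
            "uniqueIPs": len({e["IPAddress"] for e in evs}),      # dcount(IPAddress)
            "uniqueAccounts": len(accounts),                      # dcount(AccountObjectId)
            "attemptedAccounts": sorted(accounts),                # make_set(AccountObjectId)
        })
    rows.sort(key=lambda r: r["uniqueAccounts"], reverse=True)
    return rows


# Constructed reference time and sample events (not real telemetry).
NOW = datetime(2020, 9, 10, 23, 46, tzinfo=timezone.utc)


def _ev(minutes_ago, action, ip, account, device="Server", os_platform="Windows"):
    return {
        "Timestamp": NOW - timedelta(minutes=minutes_ago),
        "ActionType": action,
        "IPAddress": ip,
        "AccountObjectId": account,
        "DeviceType": device,
        "OSPlatform": os_platform,
    }


SAMPLE_EVENTS = [
    _ev(10, "LogonFailed", "185.220.101.5", "acct-0001"),
    _ev(9, "LogonFailed", "185.220.101.5", "acct-0002"),
    _ev(8, "LogonFailed", "199.249.230.77", "acct-0003"),
    _ev(7, "LogonFailed", "23.129.64.200", "acct-0001", device="Workstation"),
    _ev(6, "LogonSuccess", "185.220.101.5", "acct-0004"),          # dropped: not a failure
    _ev(5, "LogonFailed", "10.0.0.8", "acct-0005"),                 # dropped: unwatched source
    _ev(60 * 24 * 45, "LogonFailed", "185.220.102.9", "acct-0006"),  # dropped: older than 30d
]


if __name__ == "__main__":
    for row in summarize_failed_logons(SAMPLE_EVENTS, NOW):
        print(row)
```

Two differences from the portal worth keeping in mind: KQL's `dcount` is an approximate (HyperLogLog-based) count while this counts exactly, and `make_set` returns its elements in no guaranteed order, so the sorted list here is only for stable comparison.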